ClamWin Free Antivirus
Support and Discussion Forums
Clamwin vulnerability complicit in CIA hacking attempts
jimimaseye


Joined: 04 Jan 2014
Posts: 93
To start, I would like to politely say this isn't for generic comment. This is a critical issue that should be responded to by the AUTHORS/porters responsible for creating the Clamwin versions.

Wikileaks documents identify Clamwin as potential helper for CIA hacking (released this week): https://wikileaks.org/ciav7p1/cms/page_27262995.html

Now, these documents or evidence may be old and related to old versions of Clamwin but this is something that should be reviewed, commented on and rectified where necessary by the man/men responsible for creating the Windows port.

FYI: Notepad++ was also identified similarly. They have responded accordingly thus: https://notepad-plus-plus.org/news/notepad-7.3.3-fix-cia-hacking-issue.html

A similar urgent review/response by Clamwin would be appropriate to save face and put users' minds at ease (before users bin it as a security issue - especially now that the method has been released on the internet and malware writers now know how to attack).
Lipper


Joined: 31 Oct 2010
Posts: 109
Location: USA
Does this affect the installed version of ClamWin, too? Your link refers to ClamWin Portable which is a different project and not supported here.
jimimaseye


Joined: 04 Jan 2014
Posts: 93
It's true it refers to Clamwin Portable but the detail also refers to the software looking in all the main %systemdisk% usual locations (see the screenshot) - this suggests to me that it may be true of the standard software too ('portable' applications usually hold everything within a single portable directory and do not refer to looking in c:\windows etc.)... if, of course, it is still relevant to recent versions.

In any case, I personally cannot answer the question as I don't know (the above is only my opinion). I am just the messenger reporting the findings and asking for an official answer from whoever does the technical port/creation of the software.
GuitarBob


Joined: 09 Jul 2006
Posts: 4254
Location: USA
Interesting...thanks for the information. I'll run it by Alch and see what he says. He may make a post here about it.

Most of the ClamWin code comes from Clam AV, so "fixing it" probably means that we will have to wait for Clam AV to fix their code, and it will then be incorporated into the ClamWin Windows port when it is made.

Let us know of anything else like this that you run across. I don't think anyone is looking at the web on ClamWin's behalf--it will help if you do so. Thanks!

Regards,
jimimaseye


Joined: 04 Jan 2014
Posts: 93
GuitarBob wrote:

Most of the ClamWin code comes from Clam AV, so "fixing it" probably means that we will have to wait for Clam AV to fix their code, and it will then be incorporated into the ClamWin Windows port when it is made.

This is a VERY WINDOWS specific issue here and I doubt it has anything to do with the original ClamAV project on account it is code looking for Windows-specific objects in Windows-specific folders. (But what do I know).

I was fortunate to be on the receiving end of the ClamAV mail list and someone with more in-depth knowledge and interest (Steve @ SaneSecurity) happened to have posted it.
GuitarBob


Joined: 09 Jul 2006
Posts: 4254
Location: USA
It appears that the quserex.dll file does not exist in the ClamWin /bin or /library folders. I can't find msgbox.dll or random.dll or sre.dll either. I think Lipper is right--this mostly pertains to ClamWin Portable, which is not really associated with the ClamWin project, and the ClamWin developers cannot do anything about it other than inform the portable apps people about it.

I have never seen any malware target ClamWin specifically, probably because it has such a small user base in comparison to just about any other AV. It is interesting that the CIA looked at it. If users employ it as a backup scanner as recommended, any malicious impact due to this would be greatly minimized--even with the portable version.

Regards,
jimimaseye


Joined: 04 Jan 2014
Posts: 93
I'm not so sure it is that simple. There are too many unknowns/variables that we are unaware of and assumptions being made just based on a single posting on the wikileaks page:

AT SOME POINT IN HISTORY the CIA knew about such inclusions/loopholes and looked for them (if the wikileak entry is to be believed). But what we don't know:

a, how many DLLs (the list is large but the example of 3 or 4 is only an extract and not exhaustive)
b, if found by clamwin, what was then done with them - what implication does it have? How did the CIA use them?
c, what are those DLLs? Where did they come from? Windows? Clamwin? Something else?
d, on what flavour of clamwin? - just portable or also standard (as implied by the searching for files within WINDOWS directory - something that you wouldn't assume a portable version does).
e, how long ago was this. Consequently what version of Clamwin? 0.0.5? Long enough for such code or DLL inclusions to no longer be relevant/long been removed?

I think the only way to answer this is to have ALCH review the code, as it is NOW, and see if it is still relevant (no point worrying about loopholes that existed years ago and have long been closed). Then, inform portableapps of the same and ask them to look into it from their port point of view.
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
The affected file is called "quserex.DLL". The other files listed are just examples of other dll files installed, which will mostly be different/modified on everyone's system to avoid detection.

A search of my entire PC doesn't reveal the file on my system, so it's probably specific to portable apps.

DLL hijacking is usually due to poor protection code within the installer. NSIS has been coming up with ways to prevent DLL hijacking in their installer, and recent versions already have dll hijack prevention implemented.

Anyone can view the source code. Most of the code is just reused from ClamAV. The ClamWin port is managed by sherpya. The other is the plugin for Outlook. Below are the links for them.

ClamAV source code: https://github.com/vrtadmin/clamav-devel

ClamWin port: https://github.com/clamwin/clamav-win32

Python extension for Outlook: https://github.com/clamwin/pyc

The rest of the source code: https://sourceforge.net/p/clamwin/code/ci/master/tree/
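The manual check described in the posts above (looking for quserex.dll and the other named DLLs in the install folders) can be scripted; this is an added example, not code from ClamWin or from any poster. It goes one step beyond the thread by also reporting any DLL in the application folder that shares a name with one in the system folder, since for DLLs outside the KnownDLLs list Windows searches the application's own directory first. The directory layout and sample file names in `demo()` are constructed.

```python
import os
import tempfile

# DLL names mentioned in the thread (quserex.dll is the one named as affected).
WATCHLIST = {"quserex.dll", "msgbox.dll", "random.dll", "sre.dll"}

def find_dlls(root):
    """Yield (lowercased name, full path) for every .dll under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".dll"):
                yield name.lower(), os.path.join(dirpath, name)

def audit(app_dir, system_dir, watchlist=WATCHLIST):
    """Return (watch_hits, shadows) as sorted lists of paths.

    watch_hits: watch-listed DLLs found anywhere under app_dir.
    shadows:    DLLs under app_dir whose name also exists in system_dir,
                i.e. a local copy that would be found before the system one.
    """
    system_names = {n.lower() for n in os.listdir(system_dir)
                    if n.lower().endswith(".dll")}
    watch_hits, shadows = [], []
    for name, path in find_dlls(app_dir):
        if name in watchlist:
            watch_hits.append(path)
        if name in system_names:
            shadows.append(path)
    return sorted(watch_hits), sorted(shadows)

def demo():
    """Audit a constructed layout; returns base names of the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        app = os.path.join(tmp, "PortableApp", "bin")   # constructed path
        system = os.path.join(tmp, "System32")          # stand-in system dir
        os.makedirs(app)
        os.makedirs(system)
        sample = [(app, "libclamav.dll"), (app, "QUSEREX.DLL"),
                  (app, "version.dll"), (system, "version.dll"),
                  (system, "kernel32.dll")]
        for folder, name in sample:
            open(os.path.join(folder, name), "wb").close()
        hits, shadows = audit(app, system)
        return ([os.path.basename(p) for p in hits],
                [os.path.basename(p) for p in shadows])

if __name__ == "__main__":
    hits, shadows = demo()
    print("watch-listed DLLs present:", hits)
    print("DLLs shadowing a system DLL:", shadows)
```

A hit from either list is only a prompt to inspect the file (signature, origin, timestamps); some applications legitimately ship their own copies of DLLs.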
jimimaseye


Joined: 04 Jan 2014
Posts: 93
Looks like many favourites were being identified for potential hijacking: https://wikileaks.org/ciav7p1/cms/index.html

Including software ports from Thunderbird, Skype, Notepad++, Chrome and even McAfee and Kaspersky!
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
Anyways, I don't think this is anything we need to worry about. The ClamAV team has some great malware researchers and I am sure if something like this existed in ClamAV, they would have fixed it right away. The Sourcefire VRT team was one of the best and now they have expanded to Cisco's Talos group. They are pretty large now.
GuitarBob


Joined: 09 Jul 2006
Posts: 4254
Location: USA
RRK: Problem is that the vulns may exist in Windows only and not in Linux, for which Clam AV is written.

Alch has said today that he/Sherpya will look into this.

My opinion: most apps have some vulns. It is probably a good thing that this information has surfaced. I'm sure they will all be taken care of--especially any vulns in AVs. Maybe some application developers will set up programs to test/validate their app on a regular basis.

Regards,
jimimaseye


Joined: 04 Jan 2014
Posts: 93
GuitarBob wrote:
RRK: Problem is that the vulns may exist in Windows only and not in Linux, for which Clam AV is written.

Exactly. I think RRK missed the significance of this.